Open mbland opened 9 years ago
Sounds like https://github.com/bitly/google_auth_proxy might need to be forked... myusa_auth_proxy FTW!
@afeld not sure i follow.
@mbland MyUSA does not require an OAuth integration. We have a passwordless authentication workflow that sends a single-use token to your email address.
@cpapazian google_auth_proxy is an app that only lets traffic through if you are authenticated with google apps. I believe @afeld is saying that we should fork it and use MyUSA instead of G+.
:100: :+1:
'zactly. More info: https://github.com/18F/hub/blob/master/deploy/README.md#google-auth-proxy
Should also note that @GUI doesn't have access to our private Hub at the moment, because he doesn't have a GSA.gov email.
Ask, and ye shall receive! Behold: the changes needed to adapt the google_auth_proxy to MyUSA. You can try it out here: https://hub.18f.us/myusa/
Next steps:
/cc @adelevie
@mbland this is great!
I would fork it, rename and do MyUSA specific indeed. I think that the point of the g_a_p is to keep things extremely simple.
IMHO we should have everyone in MyUSA. Dogfooding FTW
I agree with @dlapiduz. g_a_p isn't a Golang flavor of Omniauth or Passport. It does one thing, simply. Same should apply to a MyUSA variant.
Also, to increase the :dog: :food: factor, I stood up a MyUSA OAuth-consuming Sinatra app on our Cloud Foundry. Demo: http://adelevie-myusa-consumer.cf.18f.us/, Source: https://github.com/18F/omniauth-myusa/pull/8/files
@mbland: Thanks for tackling this! Should this MyUSA login be functional yet? Or is this still in progress? I just tried logging in via this, and got a "Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method" error:
Or is this just me? I am the odd one that only has an @nrel.gov e-mail address, so maybe it's just my account that doesn't have access?
Ah, that's because the Hub isn't "public" yet. @adelevie could you set that up for me? (And for yourself; I got that same error for your app. ;-)
FYI: I did just open bitly/google_auth_proxy#65 to at least ask the authors' preference (as well as bitly/google_auth_proxy#66 to fix a bug I found).
@yozlet @adelevie @jackiekazil Regardless of the google_auth_proxy development direction, what would y'all recommend as a strategy for getting 18F members (and everyone else in GSA currently in the guest users file) signed onto MyUSA? Should we just ask them all to register on https://alpha.my.usa.gov/ by a deadline? (Say, Friday, April 17? ;-)
Also, should we start making MyUSA registration part of the onboarding process?
I'll defer to @jackiekazil or anyone else on the MyUSA team if they think otherwise, but I'd hold off for now on corralling folks into MyUSA just yet. I'm still learning a lot as I onboard onto the project and I don't want to overextend.
This definitely doesn't need to happen right away, @adelevie. Just wanted to put the question on the table, especially if we want to perhaps fold it into Fixit Day on April 17.
@mbland give me a couple of days to get you an answer; I need to find concrete answers on a couple of things first. Please prompt me if I don't get back to you. ;-)
It should be noted too, that myusa will be open to the public. I wonder how/if Midas is doing gov employee only restrictions? /cc @ultrasaurus
In order to potentially pitch the Hub to groups that don't use Google-managed domains, we need to investigate how we could potentially use MyUSA for Hub authentication.
cc: @yozlet @afeld @dlapiduz @cpapazian